Skip to content

Dynamic fields

Dynamic fields represent computed or derived values, typically related to threat intelligence about an HTTP request.

The Cloudflare Rules language supports these dynamic fields.

cf.bot_management.verified_bot

cf.bot_management.verified_bot Boolean

When true, this field indicates the request originated from a known good bot or crawler. Provides the same information as cf.client.bot.

cf.verified_bot_category

cf.verified_bot_category String

Provides the type and purpose of a verified bot. For more details, refer to Verified Bot Categories.

cf.bot_management.score

cf.bot_management.score Number

Represents the likelihood that a request originates from a bot using a score from 1–99. A low score indicates that the request comes from a bot or an automated agent. A high score indicates that a human issued the request.

cf.bot_management.static_resource

cf.bot_management.static_resource Boolean

Indicates whether static resources should be included when you create a rule using cf.bot_management.score. For more details, refer to Static resource protection.

cf.bot_management.ja3_hash

cf.bot_management.ja3_hash String

Provides an SSL/TLS fingerprint to help you identify potential bot requests. For more details, refer to JA3/JA4 Fingerprint.

cf.bot_management.ja4

cf.bot_management.ja4 String

Provides an SSL/TLS fingerprint to help you identify potential bot requests. For more details, refer to JA3/JA4 Fingerprint.

cf.bot_management.js_detection.passed

cf.bot_management.js_detection.passed Boolean

Indicates whether the visitor has previously passed a JS Detection. For more details, refer to JavaScript detections.

cf.bot_management.detection_ids

cf.bot_management.detection_ids Array<Number>

List of IDs that correlate to the Bot Management heuristic detections made on a request (you can have multiple heuristic detections on the same request). Use this field to explicitly match a specific heuristic or to exclude a heuristic in a rule.

Example:

any(cf.bot_management.detection_ids[*] eq 33554817)

cf.client.bot

cf.client.bot Boolean

When true, this field indicates the request originated from a known good bot or crawler. Provides the same information as cf.bot_management.verified_bot.

cf.edge.server_ip

cf.edge.server_ip IP address

Represents the global network’s IP address to which the HTTP request has resolved. This field is only meaningful for BYOIP customers.

cf.edge.server_port

cf.edge.server_port Number

Represents the port number at which the Cloudflare global network received the request. Use this field to filter traffic on a specific port. The value is a port number in the range 1–65535.

cf.hostname.metadata

cf.hostname.metadata String

Returns the string representation of the per-hostname custom metadata JSON object set by SSL for SaaS customers.

cf.random_seed

cf.random_seed Bytes

Returns per-request random bytes that you can use in the uuidv4() function.

cf.ray_id

cf.ray_id String

The Ray ID of the current request. A Ray ID is an identifier given to every request that goes through Cloudflare.

cf.threat_score

cf.threat_score Number

Represents a Cloudflare threat score from 0–100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet. It is rare to see values above 60. A common recommendation is to challenge requests with a score above 10 and to block those above 50.

cf.tls_cipher

cf.tls_cipher String

The cipher for the connection to Cloudflare.

Example:

"AES128-SHA256"

cf.tls_client_auth.cert_revoked

cf.tls_client_auth.cert_revoked Boolean

Returns true when a request presents a valid but revoked client certificate. When true, the cf.tls_client_auth.cert_verified field is also true.

cf.tls_client_auth.cert_verified

cf.tls_client_auth.cert_verified Boolean

Returns true when a request presents a valid client certificate. Also returns true when a request includes a valid certificate that was revoked (refer to cf.tls_client_auth.cert_revoked).

cf.tls_client_auth.cert_presented

cf.tls_client_auth.cert_presented Boolean

Returns true when a request presents a certificate (valid or not).

cf.tls_client_auth.cert_issuer_dn

cf.tls_client_auth.cert_issuer_dn String

The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request.

Example:

"CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"

cf.tls_client_auth.cert_subject_dn

cf.tls_client_auth.cert_subject_dn String

The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request.

Example:

"CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"

cf.tls_client_auth.cert_issuer_dn_rfc2253

cf.tls_client_auth.cert_issuer_dn_rfc2253 String

The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in RFC 2253 format.

Example:

"CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"

cf.tls_client_auth.cert_subject_dn_rfc2253

cf.tls_client_auth.cert_subject_dn_rfc2253 String

The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in RFC 2253 format.

Example:

"CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"

cf.tls_client_auth.cert_issuer_dn_legacy

cf.tls_client_auth.cert_issuer_dn_legacy String

The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format.

Example:

"/C=US/ST=Texas/L=Austin/O=Access Testing/OU=TX/CN=Access Testing CA"

cf.tls_client_auth.cert_subject_dn_legacy

cf.tls_client_auth.cert_subject_dn_legacy String

The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format.

Example:

"/C=US/ST=Texas/L=Austin/O=Access/OU=Access Admins/CN=James Royal"

cf.tls_client_auth.cert_serial

cf.tls_client_auth.cert_serial String

Serial number of the certificate in the request.

Example:

"527E0F20A20EA2A4146C78390F34CE7AF0878CA4"

cf.tls_client_auth.cert_issuer_serial

cf.tls_client_auth.cert_issuer_serial String

Serial number of the direct issuer of the certificate in the request.

Example:

"2688201DBA77402EA87118876F2E1B24CF8B0395"

cf.tls_client_auth.cert_fingerprint_sha256

cf.tls_client_auth.cert_fingerprint_sha256 String

The SHA-256 fingerprint of the certificate in the request.

Example:

"af363dc85bc942a892d3cee9796190fdb36d89cd588a4f1cb17c74a943439714"

cf.tls_client_auth.cert_fingerprint_sha1

cf.tls_client_auth.cert_fingerprint_sha1 String

The SHA-1 fingerprint of the certificate in the request.

Example:

"933ad5282c560ae3f482a43ecd73bc9de878a190"

cf.tls_client_auth.cert_not_before

cf.tls_client_auth.cert_not_before String

The certificate in the request is not valid before this date.

Example:

"Mar 21 13:35:00 2022 GMT"

cf.tls_client_auth.cert_not_after

cf.tls_client_auth.cert_not_after String

The certificate in the request is not valid after this date.

Example:

"Mar 21 13:35:00 2023 GMT"

cf.tls_client_auth.cert_ski

cf.tls_client_auth.cert_ski String

The Subject Key Identifier (SKI) of the certificate in the request.

Example:

"27846FAE6EAC4A8DAD9101B519CF1EB460242831"

cf.tls_client_auth.cert_issuer_ski

cf.tls_client_auth.cert_issuer_ski String

The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request.

Example:

"8204924CF49D471E855862706D889F58F6B784D3"

cf.tls_client_extensions_sha1

cf.tls_client_extensions_sha1 String

The SHA-1 fingerprint of TLS client extensions, encoded in Base64.

Example:

"OWFiM2I5ZDc0YWI0YWYzZmFkMGU0ZjhlYjhiYmVkMjgxNTU5YTU2Mg=="

cf.tls_client_hello_length

cf.tls_client_hello_length Number

The length of the client hello message sent in a TLS handshake. Specifically, the length of the bytestring of the client hello.

Example:

508

cf.tls_client_random

cf.tls_client_random String

The value of the 32-byte random value provided by the client in a TLS handshake, encoded in Base64. Refer to RFC 8446 for more details.

Example:

"YWJjZA=="

cf.tls_version

cf.tls_version String

The TLS version of the connection to Cloudflare.

Example:

"TLSv1.2"

cf.waf.content_scan.has_obj

cf.waf.content_scan.has_obj Boolean

When true, the request contains at least one content object.

For more details, refer to Malicious uploads detection.

cf.waf.content_scan.has_malicious_obj

cf.waf.content_scan.has_malicious_obj Boolean

When true, the request contains at least one malicious content object.

For more details, refer to Malicious uploads detection.

cf.waf.content_scan.num_malicious_obj

cf.waf.content_scan.num_malicious_obj Integer

The number of malicious content objects detected in the request (zero or greater).

For more details, refer to Malicious uploads detection.

cf.waf.content_scan.has_failed

cf.waf.content_scan.has_failed Boolean

When true, the file scanner was unable to scan all the content objects detected in the request.

For more details, refer to Malicious uploads detection.

cf.waf.content_scan.num_obj

cf.waf.content_scan.num_obj Integer

The number of content objects detected in the request (zero or greater).

For more details, refer to Malicious uploads detection.

cf.waf.content_scan.obj_sizes

cf.waf.content_scan.obj_sizes Array<Integer>

An array of file sizes in bytes, in the order the content objects were detected in the request.

For more details, refer to Malicious uploads detection.

cf.waf.content_scan.obj_types

cf.waf.content_scan.obj_types Array<String>

An array of file types in the order the content objects were detected in the request. If Cloudflare cannot determine the file type of a content object, the corresponding value in the obj_types array will be application/octet-stream.

For more details, refer to Malicious uploads detection.

cf.waf.content_scan.obj_results

cf.waf.content_scan.obj_results Array<String>

An array of scan results in the order the content objects were detected in the request. The possible values are: clean, suspicious, infected, and not scanned.

For more details, refer to Malicious uploads detection.

cf.waf.score

cf.waf.score Number

A global score from 1 to 99 that combines the score of each WAF attack vector into a single score. This is the standard WAF attack score to detect variants of attack patterns.

cf.waf.score.sqli

cf.waf.score.sqli Number

An attack score from 1 to 99 classifying the SQL injection (SQLi) attack vector.

cf.waf.score.xss

cf.waf.score.xss Number

An attack score from 1 to 99 classifying the cross-site scripting (XSS) attack vector.

cf.waf.score.rce

cf.waf.score.rce Number

An attack score from 1 to 99 classifying the command injection or Remote Code Execution (RCE) attack vector.

cf.waf.score.class

cf.waf.score.class String

The attack score class of the current request, based on the WAF attack score. Can have one of the following values: attack, likely_attack, likely_clean, clean.

cf.waf.auth_detected

cf.waf.auth_detected Boolean

When true, the Cloudflare WAF detected authentication credentials in the request.

Only available when leaked credentials detection is enabled.

cf.waf.credential_check.password_leaked

cf.waf.credential_check.password_leaked Boolean

When true, the password detected in the request was previously leaked.

Only available when leaked credentials detection is enabled.

cf.waf.credential_check.username_leaked

cf.waf.credential_check.username_leaked Boolean

When true, the username detected in the request was previously leaked.

Only available when leaked credentials detection is enabled.

cf.waf.credential_check.username_and_password_leaked

cf.waf.credential_check.username_and_password_leaked Boolean

When true, the authentication credentials detected in the request (username and password pair) were previously leaked.

Only available when leaked credentials detection is enabled.

cf.waf.credential_check.username_password_similar

cf.waf.credential_check.username_password_similar Boolean

When true, a similar version of the username and password credentials detected in the request were previously leaked.

Only available when leaked credentials detection is enabled.

cf.worker.upstream_zone

cf.worker.upstream_zone String

Identifies whether a request comes from a worker or not. When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise, cf.worker.upstream_zone is empty.

Corporate Proxy

The Bot Management Corporate Proxy field contains identified cloud-based corporate proxies and secure web gateways that are Enterprise-only, and provide outbound security services to their clients.

You can access the Corporate Proxy field in custom rules, rate limiting rules, or Workers to provide different security rules for traffic from these sources. You can also exempt them from rules using Bot Management scores.

Example
not cf.bot_management.verified_bot
and not cf.bot_management.static_resource
and not cf.bot_management.corporate_proxy
and cf.bot_management.score lt 30

JSON Web Tokens Validation claims

API Shield users can now create custom rules using claims present in tokens processed by JSON Web Tokens Validation.

aud (audience)

http.request.jwt.claims.aud Map<Array<String>>
http.request.jwt.claims.aud.names Array<String>
http.request.jwt.claims.aud.values Array<String>

The aud (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the aud value is an array of case-sensitive strings, each containing a StringOrURI value.

Refer to the Registered Claim Names in RFC 7519 for more information.

iat (issued at)

http.request.jwt.claims.iat.sec Map<Array<Integer>>
http.request.jwt.claims.iat.sec.names Array<String>
http.request.jwt.claims.iat.sec.values Array<Integer>

The iat (issued at) claim identifies the time (number of seconds) at which the JWT was issued.

Refer to the Registered Claim Names in RFC 7519 for more information.

iss (issuer)

http.request.jwt.claims.iss Map<Array<String>>
http.request.jwt.claims.iss.names Array<String>
http.request.jwt.claims.iss.values Array<String>

The iss (issuer) claim identifies the principal that issued the JWT.

Refer to the Registered Claim Names in RFC 7519 for more information.

jti (JWT ID)

http.request.jwt.claims.jti Map<Array<String>>
http.request.jwt.claims.jti.names Array<String>
http.request.jwt.claims.jti.values Array<String>

The jti (JWT ID) claim provides a unique identifier for the JWT.

Refer to the Registered Claim Names in RFC 7519 for more information.

nbf (not before)

http.request.jwt.claims.nbf.sec Map<Array<Integer>>
http.request.jwt.claims.nbf.sec.names Array<String>
http.request.jwt.claims.nbf.sec.values Array<Integer>

The nbf (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.

Refer to the Registered Claim Names in RFC 7519 for more information.

sub (subject)

http.request.jwt.claims.sub Map<Array<String>>
http.request.jwt.claims.sub.names Array<String>
http.request.jwt.claims.sub.values Array<String>

The sub (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject.

Refer to the Registered Claim Names in RFC 7519 for more information.